Reproducing the Shiro Authorization Bypass Vulnerability (CVE-2020-1957)


Vulnerability analysis


https://github.com/apache/shiro/commit/9762f97926ba99ac0d958e088cae3be8b657948d


The bypass mainly arises because the trailing / is not matched during URL matching in a Spring Web application.




Environment setup


Download the code


https://github.com/lenve/javaboy-code-samples/tree/master/shiro/shiro-basic


Import it into IDEA


Change the Shiro version to 1.4.2


<dependency>
    <groupId>org.apache.shiro</groupId>
    <artifactId>shiro-web</artifactId>
    <version>1.4.2</version>
</dependency>
<dependency>
    <groupId>org.apache.shiro</groupId>
    <artifactId>shiro-spring</artifactId>
    <version>1.4.2</version>
</dependency>



Modify the ShiroConfig configuration class and add a path pattern for the authc filter


ShiroFilterFactoryBean shiroFilterFactoryBean() {
    ShiroFilterFactoryBean bean = new ShiroFilterFactoryBean();
    ...
    ...
    //map.put("/*", "authc");
    map.put("/hello/*", "authc");
    bean.setFilterChainDefinitionMap(map);
    return bean;
}



Modify the controller's route handler method


@GetMapping("/hello/{currentPage}")
public String hello(@PathVariable Integer currentPage) {
    return "hello";
}



Build and start the application


Your-ip:8080/login



Reproducing the vulnerability


Requesting the /hello/1 endpoint redirects to the login page




With a trailing slash appended, the request gets through
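
The mismatch behind the two requests above, as an added example that is not code from the original post or from Shiro or Spring: a constructed, simplified model in which the filter side treats a trailing / as significant and the routing side ignores it. The class and method names are hypothetical, and the normalize option (stripping the trailing / before the filter check) is an assumed mitigation, not taken from the page.

```java
public class TrailingSlashMismatch {

    // Constructed model: literals, "*" and "{var}" each match exactly one path segment.
    static boolean segmentsMatch(String pattern, String path) {
        String[] pat = pattern.split("/");
        String[] seg = path.split("/"); // split() drops a trailing empty segment
        if (pat.length != seg.length) return false;
        for (int i = 0; i < pat.length; i++) {
            boolean wildcard = pat[i].equals("*") || (pat[i].startsWith("{") && pat[i].endsWith("}"));
            if (!wildcard && !pat[i].equals(seg[i])) return false;
        }
        return true;
    }

    // Filter-side model: a trailing "/" on the request must also be present on the pattern.
    static boolean strictMatch(String pattern, String path) {
        return pattern.endsWith("/") == path.endsWith("/") && segmentsMatch(pattern, path);
    }

    // Router-side model: a trailing "/" on the request is ignored.
    static boolean lenientMatch(String pattern, String path) {
        return segmentsMatch(pattern, path);
    }

    // Assumed mitigation: drop one trailing "/" (except for the root path) before the filter check.
    static String stripTrailingSlash(String path) {
        return path.length() > 1 && path.endsWith("/") ? path.substring(0, path.length() - 1) : path;
    }

    // Outcome for one request; normalize=true applies the mitigation before the filter check.
    static String decide(String path, boolean normalize) {
        String filterPath = normalize ? stripTrailingSlash(path) : path;
        if (strictMatch("/hello/*", filterPath)) return "authc applied, redirect to /login";
        if (lenientMatch("/hello/{currentPage}", path)) return "handler reached, authc not applied";
        return "no handler";
    }

    public static void main(String[] args) {
        // Constructed sample requests matching the two cases in the reproduction.
        for (String path : new String[] {"/hello/1", "/hello/1/"}) {
            System.out.println(path + " | as configured : " + decide(path, false));
            System.out.println(path + " | normalized    : " + decide(path, true));
        }
    }
}
```

The point for a reviewer is that the access-control layer and the router must agree on which paths are equivalent; any request form that only the router accepts falls outside the authc rule.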

